Inside InfoSec Law

When Does the Law Require Companies like Equifax to Disclose Their Data Breaches?

With the most recent Equifax data breach, many business owners may have questions about what their responsibilities are under the law to report data breaches. After all, Equifax was breached in May, the breach was discovered in July, and Equifax did not report the breach to the public until September. Why, considering the magnitude of the breach, did Equifax wait as long as they did to notify the public and how will the law treat Equifax for waiting so long?

The law in 48 states, the District of Columbia, Puerto Rico, Guam and the Virgin Islands currently requires that companies that suffer a data breach notify the affected individuals (and, in many states, the attorney general or other regulators), although the specific requirements vary from state to state. The only states that do not require breach notification are South Dakota and Alabama. Despite their differences, the laws typically contain the same elements: a definition of the personal information they protect, a definition of covered entities, the level of harm a security breach must reach to trigger notification, who must be notified, when and how, what the notification must contain, and the particulars of enforcement. Exemptions and safe harbors include businesses in certain industries such as health care and financial services that are already subject to federal notification rules, businesses whose own notification procedures are consistent with the state statute and who follow them, and businesses whose data was encrypted or redacted at the time of the breach and remains secure (typically on the condition that the encryption key was not also compromised). Other than these few exceptions, the laws apply to most businesses that handle the personal information of their customers.

Most states use similar language to describe the required timing of notification, the most common phrase being "the most expeditious time possible and without unreasonable delay," though a number of states also impose an outer deadline measured in days from discovery of the breach. Most states allow notification to be delayed when the breach is the result of criminal activity and a law enforcement agency has requested the delay because notification may impede its investigation.

It can be difficult and expensive for a large company with business operations throughout the country to comply with dozens of different breach notification standards. There have been efforts in the past to replace the state laws with a single federal law to ease that burden; however, those efforts have met resistance from states and state attorneys general, who prefer to keep enforcement authority in their own hands for breaches that affect their citizens. Because of the Equifax breach, this issue may be reexamined by members of Congress. Congressman Jim Langevin recently reintroduced the Personal Data Notification and Protection Act in response to the Equifax breach; the Act would preempt state laws and provide the sole breach notification standard. It was first introduced in 2015.

Unfortunately, the facts surrounding Equifax's breach, including who knew what and when they knew it, are still vague, so it is hard to apply the law here and predict the most probable outcome. Because of this data breach, investigations have been opened by the FBI, by regulators such as the FTC, and by numerous state attorneys general, and lawsuits have been filed as well. Without more facts it is difficult to say whether the delay in notification was due to a law enforcement request, but it is not difficult to imagine that a breach of this magnitude would spur a wide-ranging criminal investigation. Considering the ongoing investigations and the possible renewed efforts by Congress to examine the issues surrounding data breaches, the law may soon subject the data practices of businesses to scrutiny at a level never before seen.

Disclaimer: The materials available at this web site are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this web site or any of the e-mail links contained within the site do not create an attorney-client relationship between the author or Elkins PLC and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.

About Post Author

Geoffrey engages in a broad-ranging practice including real estate development, federal and state tax credits, partnership, corporate and securities matters, information security plans and cyber-security, information privacy, privacy policies, privacy compliance, as well as representation of non-profit entities. He is a co-author of the book "The Architecture of Cybersecurity" and a member of the Elkins, PLC Cybersecurity & Privacy Protection team. Geoffrey also holds a Certified Information Privacy Professional (CIPP/US) designation from the International Association of Privacy Professionals.